PrepAway - Latest Free Exam Questions & Answers

Three of the primary security control types that can be implemented are.

A.
Supervisory, subordinate, and peer.

B.
Personal, procedural, and legal.

C.
Operational, technical, and management.

D.
Mandatory, discretionary, and permanent.

2 Comments on “Three of the primary security control types that can be implemented are.”

  1. vc says:

    SY0-401. CONTROL TYPES.

    The term access control refers to a broad range of controls that perform such tasks as ensuring that only authorized users can log on and preventing unauthorized users from gaining access to resources. Controls mitigate a wide variety of information security risks.
    Whenever possible, you want to prevent any type of security problem or incident. Of course, this isn’t always possible, and unwanted events occur. When they do, you want to detect the events as soon as possible. And once you detect an event, you want to correct it.
    As you read the control descriptions, notice that some are listed as examples of more than one access-control type. For example, a fence (or perimeter-defining device) placed around a building can be a preventive control (physically barring someone from gaining access to a building compound) and/or a deterrent control (discouraging someone from trying to gain access).

    DETERRENT.
    A deterrent access control is deployed to discourage violation of security policies. Deterrent and preventive controls are similar, but deterrent controls often depend on individuals deciding not to take unwanted action. In contrast, a preventive control actually blocks the action. Some examples include policies, security-awareness training, locks, fences, security badges, guards, mantraps, and security cameras.
    — policies,
    — security-awareness training,
    — locks,
    — fences,
    — security badges,
    — guards,
    — mantraps,
    — security cameras.

    PREVENTIVE.
    A preventive access control (or preventative access control) is deployed to thwart or stop unwanted or unauthorized activity from occurring. Examples of preventive access controls include fences, locks, biometrics, mantraps, lighting, alarm systems, separation of duties, job rotation, data classification, penetration testing, access-control methods, encryption, auditing, presence of security cameras or CCTV, smart cards, callback procedures, security policies, security-awareness training, antivirus software, firewalls, and IPSs.
    — security policies,
    — security-awareness training,
    — locks,
    — fences,
    — biometrics,
    — mantraps,
    — lighting,
    — alarm systems,
    — penetration testing,
    — access-control methods,
    — data classification,
    — auditing,
    — separation of duties,
    — job rotation,
    — encryption,
    — smart cards,
    — callback procedures,
    — antivirus software,
    — firewalls,
    — IPSs,
    — presence of security cameras or CCTV.

    DETECTIVE.
    A detective access control is deployed to discover or detect unwanted or unauthorized activity. Detective controls operate after the fact and can discover the activity only after it has occurred. Examples of detective access controls include security guards, motion detectors, recording and reviewing of events captured by security cameras or CCTV, job rotation, mandatory vacations, audit trails, honey pots and honey nets, IDS, violation reports, supervision and reviews of users, and incident investigations.
    — security guards,
    — motion detectors,
    — violation reports,
    — incident investigations,
    — audit trails,
    — job rotation,
    — mandatory vacations,
    — supervision and reviews of users,
    — honey pots and honey nets,
    — IDS,
    — recording and reviewing of events captured by security cameras or CCTV.

    COMPENSATING.
    A compensating access control is deployed to provide various options to other existing controls to aid enforcement and support of security policies. They can be any controls used in addition to, or in place of, another control. For example, an organizational policy may dictate that all PII must be encrypted. A review discovers that a preventive control is encrypting all PII data in databases, but PII transferred over the network is sent in cleartext. A compensation control can be added to protect the data in transit.

    Additional categories of security control include CORRECTIVE, RECOVERY, and DIRECTIVE.

    CORRECTIVE.
    A corrective access control modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred. It attempts to correct any problems terminating malicious activity or rebooting a system. They also include antivirus solutions that can remove or quarantine a virus, backup and restore plans to ensure that lost data can be restored, and active IDSs that can modify the environment to stop an attack in progress. The access control is deployed to repair or restore resources, functions, and capabilities after a violation of security policies.

    RECOVERY.
    Recovery controls are an extension of corrective controls but have more advanced or complex abilities. Examples of recovery access controls include backups and restores, fault tolerant drive systems, system imaging, server clustering, antivirus software, and database or virtual machine shadowing.
    — backups and restores,
    — fault tolerant drive systems,
    — system imaging,
    — server clustering,
    — antivirus software,
    — database or virtual machine shadowing.

    DIRECTIVE.
    A directive access control is deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies. Examples of directive access controls include security policy requirements or criteria, posted notifications, escape route exit signs, monitoring, supervision, and procedures.
    — security policy requirements or criteria,
    — posted notifications,
    — escape route exit signs,
    — monitoring,
    — supervision,
    — procedures.

    TECHNICAL.
    Controls can be implemented administratively, logically/technically, or physically. Any of the access control types mentioned previously can include any of these types of implementation.
    Technical or logical access involves hardware or software mechanisms used to manage access and provide protection for resources and systems. As the name implies, it uses technology. Examples of logical or technical access controls include authentication methods (such as usernames, passwords, smart cards, and biometrics), encryption, constrained interfaces, access control lists, protocols, firewalls, routers, IDSs, and clipping levels.
    — authentication methods (such as usernames, passwords, smart cards, and biometrics),
    — encryption,
    — constrained interfaces,
    — access control lists,
    — clipping levels,
    — protocols,
    — firewalls,
    — routers,
    — IDSs.

    ADMINISTRATIVE.
    Administrative access controls are policies and procedures defined by an organization’s security policy and other regulations or requirements. They are sometimes referred to as management controls. These controls focus on personnel and business practices. Examples of administrative access controls include policies, procedures, hiring practices, background checks, data classifications and labeling, security awareness and training efforts, vacation history, reports and reviews, work supervision, personnel controls, and testing.
    — policies,
    — procedures,
    — hiring practices,
    — background checks,
    — data classifications and labeling,
    — security awareness and training efforts,
    — vacation history,
    — reports and reviews,
    — work supervision,
    — personnel controls,
    — testing.

    PHYSICAL.
    Another type of control is physical. Physical access controls are items you can physically touch. They include physical mechanisms deployed to prevent, monitor, or detect direct contact with systems or areas within a facility. Examples of physical access controls include guards, fences, motion detectors, locked doors, sealed windows, lights, cable protection, laptop locks, badges, swipe cards, guard dogs, video cameras, mantraps, and alarms.
    — fences,
    — guards,
    — mantraps,
    — motion detectors,
    — locked doors,
    — sealed windows,
    — laptop locks,
    — cable protection,
    — badges,
    — swipe cards,
    — guard dogs,
    — alarms,
    — lights,
    — video cameras.



